Abstract

This article presents an analysis of the secure key broadcasting scheme proposed by Wu, Ruan, Lai and Tseng [11]. The study of the parameters of the system is based on a connection with a special type of symmetric equations over finite fields. We present two different attacks against the system, whose efficiency depends on the choice of the parameters. In particular, a time-memory tradeoff attack is described, effective when a parameter of the scheme is chosen without care. In such a situation, more than one third of the cases can be broken with a time and space complexity in the range of the square root of the complexity of the best attack suggested by Wu et al. against their system. This leads to a feasible attack in a realistic scenario.
1 Introduction

The goal of this article is to present an analysis of a key distribution scheme taking place in a multicasting system. The system has been developed by Wu, Ruan, Lai and Tseng, see [11], in order to propose a new solution to the problem of transmitting keys securely in the context of multicasting. In such a context, the security of the transmission must be coupled with the imperative of being able to manage groups of users sharing the same key, where typically one wants to deal with users lea'ving a group after some time, new users joining different groups, etc. The solution of Wu et al. is based on a particular finite field construction and its security relies on the computational difficulty of a problem that appears not to have been studied rigorously up to now.

The problem, presented in more detail in Section 2 below, takes place in a finite prime field $\mathbb{F}_p$ where an $n$-th degree polynomial $f$ is given and consists in finding $k \in \mathbb{F}_p$ so that $f(x) - k$ splits into linear factors in $\mathbb{F}_p$, provided that such a $k$ exists. We will see that this problem is directly connected with the so-called systems of power equations [6], [12]. Indeed, the problem is equivalent to solving an inhomogeneous system of $n - 1$ power equations in $n$ variables with degrees running from 1 to $n - 1$. This type of equations with symmetries is known to be generically hard to solve computationally, see e.g. [HE], and they often appear as test cases when evaluating algorithms whose goal is to find solutions of systems of polynomial equations. For instance, at the time of writing, these problems are computationally intractable as soon as the degree of the system is as large as 30, even in a finite field of moderate size. In the current situation, the degree of the system can potentially be a few thousand and the finite field size should be chosen larger than $2^{80}$. It is however worth noticing that the special form of the equations $S_n$ described below might turn out to be in fact easily solvable, but the author of the article is unaware of any algorithm capable of performing this task efficiently.

*Partially supported by SNF Grant No. 121874. To appear in Journal of Mathematical Cryptology, Vol. 6, 1 (2012), pp. 69-80.

Even though the connection with systems of cyclic power equations does not lead to a feasible computational solution of the initial problem underlying the system of Wu et al., this link will allow us to shed light on the expected number of solutions of the initial problem. This will be explained in Section 3. Since Gröbner bases methods as well as different linearization techniques do not appear to threaten the security of the system in the generic case, we will focus in Section 4 on the case where the order $p$ of the finite field has been chosen without care. Based on this assumption, two different attacks will be presented. In particular, a time-memory tradeoff attack against the system will be developed whose time complexity $T$ and memory complexity $M$ satisfy $TM = O(p \ln^2 p)$ and are both in the order of the square root of $p$ in more than one third of the cases. We would like to point out that in such a realistic situation the time-memory tradeoff attack can potentially be realized on a system where the parameters have been chosen as described in [11].

All the computations and equalities in this article should be clear from the context. The natural logarithm and the logarithm in base 2 are denoted by $\ln$ and $\log_2$ respectively. We will follow the standard asymptotic notations, as in e.g. [5], such as $o$, $O$ and $\ll$. We will write $f(n) \gtrsim g(n)(1 + o(1))$ when $f$ and $g$ satisfy $\liminf_{n \to \infty} \left(f(n)/g(n) - 1\right) \geq 0$.

2 The Key Broadcasting Scheme of Wu et al. 

Let us now present the technical details of the key distribution scheme in secure multicasting of Wu, Ruan, Lai and Tseng. We refer the reader to the original paper [11] for a more detailed description of the broadcasting setting and of the arguments for the benefits of the system. The ground parameters of the multicasting system are a large finite prime field $\mathbb{F}_p$ and a family $\mathcal{H}$ of hash functions with values in $\mathbb{F}_p$. Each user of the system receives a private key $a \in \mathbb{F}_p$ that is fixed for a given time period and that is known to the key management authority. When the key management authority wants to broadcast a key $k$ to $n$ distinguished users of the system with private keys $a_1, \ldots, a_n$, it selects a hash function $h \in \mathcal{H}$ and expands the monic $n$-th degree polynomial $f$ in $\mathbb{F}_p[x]$ as follows:

$$f(x) = \prod_{i=1}^{n} \left(x - h(a_i)\right) + k = x^n + \sum_{j=0}^{n-1} b_{n-j} x^j . \qquad (2.1)$$
The management authority sends to the $n$ users the $n$ coefficients $b_j$ together with the hash function $h$. Since the polynomial $f$, the so-called "secure filter" in [11], satisfies $f(h(a_i)) = k$ for all $i = 1, \ldots, n$, the $n$ distinguished users can compute the key $k$. The system is secure in the sense that an unauthorized user who wants to have access to $k$ faces the problem of recovering this field element from the broadcast parameters $b_0, b_1, \ldots, b_{n-1}$ and $h$. The designers of the system state in [11, Section 3.3] that $k$ can only be obtained from the constant term $b_0$ since $b_0 = k + \prod_{i=1}^{n} h(a_i)$, and not knowing the $h(a_i)$'s makes this infeasible because the finite field size $p$ is too large.

The distribution of the $n$ field elements $b_j$ represents a transmission of $n \log_2(p)$ bits. The distribution of the hash function is not explained in the original setting [11]; however, in order to balance the security between the choice of the key $k$ and the function $h$, the number of possible hash functions should be at least as large as $p$. For instance, it would be possible to fix a cryptographic hash function $h$ and define $\mathcal{H} = \{h_c\}_{c \in \mathbb{F}_p}$ where $h_c(x) = h(h(x) + c)$. In doing so, any element of $\mathcal{H}$ is described by a field element. We will therefore assume that the key distribution requires $O(n \log_2(p))$ bits of transmission. This is however not a limiting requirement in our analysis. When a fixed hash function $h$ is used for each broadcast, the system is not immune against attacks spanning different phases of the scheme, as described in [13]. However, when the hash function is different for each transmission, as suggested as a vulnerability fix in [13], the system becomes exactly the one described above. We would like to point out that it is in the interest of the designer to select the size of $p$ so as to balance the security and the transmission cost. In a multicasting environment, the value $n$ can potentially be quite big (up to a few millions), leading to a choice of the size of $p$ as small as the security concerns would allow. With this in mind, we will naturally assume in the sequel that $n < p$.

The brute force attack suggested by the authors relies on testing the $p$ possible keys $k \in \mathbb{F}_p$. This exhaustive search can potentially be operated directly on the system the key is supposed to enable, but it is also possible to run the following algebraic test. The polynomial $f$ and the key $k$ are such that $f(x) - k$ splits into linear factors over $\mathbb{F}_p$. This means that $f(x) - k$ divides the product of all linear monic polynomials, which is $x^p - x$, see e.g. [7]. This is equivalent to writing that

$$x^p - x \equiv 0 \bmod (f(x) - k). \qquad (2.2)$$

Testing the previous equality can be done in $O(\log_2(p))$ modular polynomial operations, using repeated square-and-multiply techniques in the ring $\mathbb{F}_p[x]/(f(x) - k)$, see e.g. [9]. Any $k$ that fulfills the previous equation is a candidate. The expected number of candidates is analyzed in the next section and turns out to be small as soon as $n \gtrsim \frac{\ln p}{\ln \ln p}(1 + o(1))$. This leads to a brute force attack with time complexity $O(p \log_2(p))$ and space complexity $O(n \log_2(p))$ when $n$ is large enough. A realistic situation could be the following. The finite field is selected to have about $2^{75}$ elements, so that the brute force attack has a complexity of more than $2^{80}$ modular polynomial operations. As soon as $n \geq 15$, only a few $k \in \mathbb{F}_p$ will satisfy Eq. (2.2). With $n = 100000$ users (a factor of 40 less than some currently used pay-TV systems [10]), the multicasting system would need to broadcast almost 1 megabyte of information.
3 Connection with Systems of Power Equations



Our first goal is to find an estimation of the number of possible candidates $k \in \mathbb{F}_p$ satisfying Eq. (2.2) and to determine how difficult it is to compute one of these. In order to do so, we will make use of a special type of polynomial equations over $\mathbb{F}_p$. Let us consider $S_n = S_n(s_1, \ldots, s_{n-1})$, the following system of $n - 1$ consecutive power equations in $n$ variables:

$$\begin{aligned}
x_1 + x_2 + \cdots + x_n &= s_1 \\
x_1^2 + x_2^2 + \cdots + x_n^2 &= s_2 \\
x_1^3 + x_2^3 + \cdots + x_n^3 &= s_3 \\
&\;\;\vdots \\
x_1^{n-1} + x_2^{n-1} + \cdots + x_n^{n-1} &= s_{n-1}
\end{aligned}$$



Notice that if one more power equation of degree $n$ were available, then the system would be solvable in expected polynomial time, see e.g. [12] and [7] for its use in decoding BCH codes. The above system is non-trivial because this last equation is missing. Recall that the coefficients of the polynomial

$$\prod_{j=1}^{n} (x - x_j) = x^n + \sum_{j=0}^{n-1} e_{n-j} x^j \qquad (3.1)$$

are explicitly related to the sums of the powers of its roots $x_j$ via Newton's identities, which have the following form, see e.g. [8],

$$e_j = F_j(s_1, \ldots, s_{j-1}) - (-1)^j \frac{s_j}{j} \qquad (3.2)$$

for some specific algebraically independent polynomials $F_j \in \mathbb{F}_p[y_1, \ldots, y_{j-1}]$, $j > 0$. For instance, $e_1 = s_1$ and $e_2 = \frac{s_1^2 - s_2}{2}$. The special triangular shape of the equations (see e.g. [8]), i.e., the fact that $F_j$ depends on $s_1, \ldots, s_{j-1}$ only, together with the affine dependence between $e_j$ and $s_j$, has several implications.

First, one can recursively compute $s_j$ for $j = 0, \ldots, n - 1$ in polynomial time as soon as the $e_j$ are given for $j = 0, \ldots, n - 1$ (note that since we assumed $n < p$, the division by $j$ in the last term of (3.2) is never a problem). Therefore solving the initial problem (2.2) with unknown $k$ is equivalent to solving the system $S_n$ with $b_j = e_j$ for $j = 0, \ldots, n - 1$, since computing any $x_j = h(a_j)$ is essentially equivalent to computing $k$ (factoring splitting polynomials in $\mathbb{F}_p$ can be done in expected polynomial time). This gives some confidence in the general difficulty of breaking the multicasting scheme, since solving $S_n$ for randomly chosen $s_1, \ldots, s_{n-1}$ seems to be a difficult task, as explained in the introduction.
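As an added illustration of this first consequence (the snippet is not from the paper), the Python code below recovers $s_1, \ldots, s_{n-1}$ from the public coefficients of positive degree alone by Newton's identities, so the eavesdropper obtains the instance $S_n$ without knowing $k$; it uses the standard sign convention $a_i = (-1)^i e_i$ for the coefficient of $x^{n-i}$ (the paper leaves such signs to the context), and the prime, the roots and the key are constructed values.

```python
P = 1019                                  # toy prime (constructed instance)

def power_sums(a):
    """Newton's identities: s_i = -(i*a_i + sum_{m=1}^{i-1} a_m s_{i-m}) mod p, where
    a[i-1] is the coefficient of x^(n-i) in a monic polynomial (a_i = (-1)^i e_i)."""
    s = []
    for i in range(1, len(a) + 1):
        total = i * a[i - 1] + sum(a[m - 1] * s[i - m - 1] for m in range(1, i))
        s.append((-total) % P)
    return s

def public_coeffs(roots, k):
    """Coefficients of f(x) = prod(x - r) + k from x^(n-1) down to x^0 (leading 1 dropped)."""
    f = [1]
    for r in roots:                       # multiply by (x - r)
        f = [(u - r * v) % P for u, v in zip([0] + f, f + [0])]
    f[0] = (f[0] + k) % P
    return f[-2::-1]

ROOTS, K = [5, 77, 123, 400, 512, 900], 845      # constructed h(a_i) and broadcast key k
A = public_coeffs(ROOTS, K)                      # what an eavesdropper sees (the b's)
S = power_sums(A[:-1])                           # needs a_1..a_{n-1} only: k never enters
TRUE_S = [sum(pow(r, i, P) for r in ROOTS) % P for i in range(1, len(ROOTS) + 1)]
# S == TRUE_S[:-1].  The n-th identity would use the constant term, which is shifted
# by k, so power_sums(A)[-1] == TRUE_S[-1] - n*k (mod p): s_n is the missing equation.
```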

Second, the number of solutions of $S_n$ is related to the number of possible $k$ such that (2.2) holds. If we consider two solutions of $S_n$ to be the same if one is obtained from the other by a permutation of its components, then there is a bijection between the set of solutions of $S_n$ and the set of possible $k$ satisfying (2.2). Indeed, if $(x_1^*, \ldots, x_n^*)$ is a solution of $S_n$ then $k = f(0) - \prod_{i=1}^{n} x_i^*$ satisfies (2.2), and any $k$ satisfying (2.2) gives a completely splitting polynomial $f(x) - k$ with a unique set of roots, up to permutations. If $\Omega_n$ is the set of unordered $n$-tuples of elements of $\mathbb{F}_p$, then a solution of $S_n$ is an element of $\Omega_n$ and $|\Omega_n| = \binom{p+n-1}{n}$.

Finally, let us focus on the expected number of possible $k$ satisfying (2.2) when the coefficients of the polynomial $f(x)$ are independently and uniformly distributed at random in $\mathbb{F}_p$. The triangular shape and the affine dependence described above imply that the $s_j$ are independently and uniformly distributed in $\mathbb{F}_p$ if and only if the same is true for the $e_j$. This comes from the fact that if $X$ and $Y$ are independent random variables, with $Y$ being uniformly distributed, then $X + Y$ is uniformly distributed. Therefore, when the $n - 1$ coefficients of strictly positive degree of the polynomial $f(x)$ are chosen independently and uniformly at random in $\mathbb{F}_p$, the expected number of $k$ satisfying (2.2) is equal to the expected number $N$ of solutions of $S_n(s_1, \ldots, s_{n-1})$ when $s_1, \ldots, s_{n-1}$ are independently and uniformly distributed at random in $\mathbb{F}_p$. For $a \in \Omega_n$, let us write $\mathbf{1}_{S_n(s)(a) = 0}$ for the indicator function of the set $\{a \in \Omega_n \mid a \text{ is a solution of } S_n(s)\}$. The number $N$ can be computed as follows:

$$N = \frac{1}{p^{n-1}} \sum_{s \in \mathbb{F}_p^{n-1}} \left|\{a \in \Omega_n \mid a \text{ is a solution of } S_n(s)\}\right| = \frac{1}{p^{n-1}} \sum_{s \in \mathbb{F}_p^{n-1}} \sum_{a \in \Omega_n} \mathbf{1}_{S_n(s)(a) = 0} .$$

Since for a fixed $a \in \Omega_n$ there is a unique $s \in \mathbb{F}_p^{n-1}$ such that $a$ is a solution of $S_n(s)$, we obtain that

$$N = \frac{1}{p^{n-1}} \sum_{a \in \Omega_n} 1 = \frac{\binom{p+n-1}{n}}{p^{n-1}} .$$
Let us summarize the situation with the following lemma:

Lemma 3.1 Let $b_1, \ldots, b_{n-1}$ be independently and uniformly distributed elements in $\mathbb{F}_p$ and let $f(x) = x^n + \sum_{j=1}^{n-1} b_{n-j} x^j$. The expected number of elements $k \in \mathbb{F}_p$ such that $f(x) - k$ splits into linear factors in $\mathbb{F}_p$ is $\binom{p+n-1}{n} / p^{n-1}$.

In the context of the secure key broadcasting scheme under consideration, the previous lemma can be used: since in this case the $b_i$'s are obtained by evaluating algebraically independent polynomials at values of a cryptographic hash function, it is natural to consider that they will behave like independent and uniformly distributed random variables over $\mathbb{F}_p$. Notice that

$$\frac{\binom{p+n-1}{n}}{p^{n-1}} = \frac{p}{n!} \prod_{i=1}^{n-1} \left(1 + \frac{i}{p}\right) = \frac{p}{n!} \left(1 + O\!\left(\frac{n^2}{p}\right)\right). \qquad (3.3)$$

This asymptotic expression invites us to separate two situations, when $n = O(p^{1/2})$ and when $n$ is essentially larger. We will not address the latter since it does not fit any plausible setting: the prime $p$ needs to be very large in order to give the system its security, and $n$ represents a number of users, making the hypothesis $n \gg p^{1/2}$ quite improbable. We will therefore assume from now on that $n = O(p^{1/2})$ (even though $n = p^{1/2}(1 + o(1))$ is also quite improbable). In this situation, the expected number of solutions essentially depends on the term $p/n!$. We will make use of the following technical lemma.



Lemma 3.2 If $n! = r$ then

$$n = \frac{\ln(r/e)}{W\!\left(\frac{1}{e}\ln(r/e)\right)} (1 + o(1))$$

where $W$ is the Lambert W function that satisfies $W(t)\exp(W(t)) = t$ and

$$W(t) = \ln t \left(1 - \frac{\ln\ln t}{\ln t} + \frac{\ln\ln t}{\ln^2 t} + O\!\left(\left(\frac{\ln\ln t}{\ln t}\right)^2\right)\right) = \ln(t)\,(1 + o(1)).$$

Proof: Since $\ln$ is increasing, we have $\int_1^n \ln(x)\,dx \leq \sum_{i=1}^{n} \ln(i) \leq \int_1^n \ln(1+x)\,dx$ and this leads to $e\left(\frac{n}{e}\right)^n \leq n! \leq e\left(\frac{n+1}{e}\right)^{n+1}$. By continuity, there exists $0 \leq c < 1$ with $e\left(\frac{n+c}{e}\right)^{n+c} = r$. Thus $\left(\frac{n+c}{e}\right)^{\frac{n+c}{e}} = (r/e)^{1/e}$. Solving this equation for $\frac{n+c}{e}$ is performed with the help of the Lambert W function, defined as the unique solution of the equation $W(t)\exp(W(t)) = t$ for $t \geq 0$, see [2]. In fact if $x^x = y$ then $e^{\ln x} \ln x = \ln y$, thus $\ln x = W(\ln y)$, leading to $x = \exp(W(\ln y)) = \frac{\ln y}{W(\ln y)}$. Finally we obtain

$$\frac{n+c}{e} = \frac{\ln\left((r/e)^{1/e}\right)}{W\!\left(\ln\left((r/e)^{1/e}\right)\right)},$$

and thus

$$n = \frac{\ln(r/e)}{W\!\left(\frac{1}{e}\ln(r/e)\right)} (1 + o(1)).$$

The final estimation of $W$ is Eq. (4.19) of [2, page 349]. □

The two previous lemmas together with the expression (3.3) have the following application:

Proposition 3.3 Let $p$ be a prime number, $n = O(p^{1/2})$, $b_1, \ldots, b_{n-1}$ be independently and uniformly distributed elements in $\mathbb{F}_p$ and let $f(x) = x^n + \sum_{j=1}^{n-1} b_{n-j} x^j$. When $n \gtrsim \frac{\ln p}{\ln\ln p}(1 + o(1))$, the expected number of elements $k \in \mathbb{F}_p$ such that $f(x) - k$ splits into linear factors in $\mathbb{F}_p$ is $O(1)$.

Proof: With the assumption $n = O(p^{1/2})$, the value of $\binom{p+n-1}{n} / p^{n-1}$ is a constant factor away from $p/n!$. Solving the equation $n! = p$ via Lemma 3.2 leads to

$$n = \frac{\ln(p/e)}{\ln\left(\frac{1}{e}\ln(p/e)\right)} (1 + o(1)) = \frac{\ln p}{\ln\ln p} (1 + o(1)).$$

Therefore as soon as the condition $n \gtrsim \frac{\ln p}{\ln\ln p}(1 + o(1))$ is fulfilled, the conclusion of the proposition holds, due to Lemma 3.1 and Eq. (3.3). □
The effective value $O(1)$ in the above proposition is trivially 0 if no such $k$ exists. Computer simulations tend to show that when $p$ is reasonably large and such a $k$ exists, as soon as $n \geq \ln p$, the value $O(1)$ is 1 with overwhelming probability, i.e., $k$ is then unique. Taking back the example described in Section 2, when $p$ is a 75 bit prime number, then as soon as a secret key is broadcast to $n > 15$ users, being able to solve Eq. (2.2) is enough to recover $k$ with high probability.

The consequence of the above proposition can be summarized in the following terms. Any algorithm that solves the problem of finding all $k \in \mathbb{F}_p$ such that $x^p - x \equiv 0 \bmod (f(x) - k)$, where $f(x)$ is a monic $n$-th degree random polynomial and $n \gtrsim \frac{\ln p}{\ln\ln p}(1 + o(1))$, can be used to break the key distribution scheme in secure multicasting of Wu et al. [11] described in Section 2.

4 Cryptanalysis of the Scheme

In this section we present two different approaches that tackle the security of the system. The first one is effective when $n$ is unusually large compared to $p$, i.e., when $n$ is not far away from $p^{1/2}$. The second one uses the existence of average size divisors of $p - 1$.

4.1 Attack when $n = p^{1/2 - \varepsilon}$ with small $\varepsilon$

When the number of users $n$ is large compared to $p$, a simple algebraic procedure can reveal with sufficiently large probability the secret key $k$. The key point is that the polynomial $f(x)$ takes the value $k$ much more often than a random polynomial. In fact for a truly random monic $n$-th degree polynomial $g$ the expected number of roots of $g(x) = k$ is one. In our case, it is $n$. So for a random field element $a$, the probability that $f(a) = k$ is $n/p$ and by computing

$$r_a(x) := x^p - x \bmod (f(x) - f(a)),$$

we expect to find $r_a(x) = 0$ after $p/n$ trials. In view of Section 3, as soon as $n \gtrsim \frac{\ln p}{\ln\ln p}(1 + o(1))$, then $a = h(a_i)$ for some $i$ with overwhelming probability. If the quotient $n/p$ is too small, then there is no hope this approach can lead to an efficient algorithm, but if $n = p^{1/2 - \varepsilon}$ with a small $\varepsilon$, then the situation is different. Computing $r_a$ requires $O(\log_2 p)$ modular polynomial operations, which leads to an attack with an expected complexity of $O(p^{1/2 + \varepsilon} \ln p)$ modular polynomial operations. For example, when $p$ is a 64 bit number and $n$ is as large as a million, i.e., $n = 2^{20}$, then $\varepsilon = 3/16$, and the complexity of the attack is roughly $2^{50}$ modular polynomial operations, compared with $2^{70}$ for the exhaustive search on $k$ described in Section 2.
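As an added worked example (not code from the paper or from Wu et al.), the Python script below builds the broadcast of Section 2 on a toy field, lets an authorized user recover $k$, implements the test (2.2) by square-and-multiply in $\mathbb{F}_p[x]/(f(x) - k)$, and uses that test both for the brute force of Section 2 and for the random-probe attack of Section 4.1. Assumptions: $p = 1019$, $n = 10$, the family $h_c(x) = H(H(x) + c)$ with $H$ = SHA-256 reduced mod $p$, and an authority that skips a $c$ under which two users collide.

```python
import hashlib
import random

P, N = 1019, 10                       # toy prime and number of distinguished users (constructed)

def H(v):
    """Underlying cryptographic hash H: F_p -> F_p (SHA-256 reduced mod p; assumption)."""
    return int.from_bytes(hashlib.sha256(v.to_bytes(16, "big")).digest(), "big") % P

def h_c(a, c):
    """The family of Section 2: h_c(x) = H(H(x) + c), indexed by c in F_p."""
    return H((H(a) + c) % P)

def broadcast(private_keys, k, c):
    """Key authority: f(x) = prod(x - h_c(a_i)) + k.  Returns (b_0..b_{n-1}, c).
    Assumption (not in the paper): if two users collide under h_c the authority
    moves to the next c, since a repeated root would make f - k fail test (2.2)."""
    while len({h_c(a, c) for a in private_keys}) < len(private_keys):
        c = (c + 1) % P
    f = [1]
    for a in private_keys:                    # multiply by (x - h_c(a))
        r = h_c(a, c)
        f = [(u - r * v) % P for u, v in zip([0] + f, f + [0])]
    return [(f[0] + k) % P] + f[1:-1], c      # leading coefficient 1 is implicit

def f_at(b, x):
    """Evaluate the monic polynomial f(x) = x^n + sum_j b_j x^j at x."""
    return (pow(x, len(b), P) + sum(bj * pow(x, j, P) for j, bj in enumerate(b))) % P

def recover_key(b, c, a):
    """Authorized user with private key a: k = f(h_c(a))."""
    return f_at(b, h_c(a, c))

def splits_completely(b, k):
    """Test (2.2): x^p - x == 0 mod (f(x) - k), by square-and-multiply in
    F_p[x]/(f(x) - k); b holds the coefficients of x^0..x^(n-1), f is monic."""
    n = len(b)
    mod = [(b[0] - k) % P] + list(b[1:]) + [1]          # f(x) - k, low degree first
    def mul(u, v):
        w = [0] * (2 * n - 1)
        for i, ui in enumerate(u):
            if ui:
                for j, vj in enumerate(v):
                    w[i + j] += ui * vj
        for deg in range(2 * n - 2, n - 1, -1):         # eliminate x^deg, highest first
            q = w[deg] % P
            for j in range(n + 1):
                w[deg - n + j] -= q * mod[j]
        return [c % P for c in w[:n]]
    acc, base = [1] + [0] * (n - 1), [0, 1] + [0] * (n - 2)   # the elements 1 and x
    for bit in bin(P)[:1:-1]:                           # bits of p, least significant first
        if bit == "1":
            acc = mul(acc, base)
        base = mul(base, base)
    acc[1] = (acc[1] - 1) % P                           # x^p - x
    return not any(acc)

def candidate_keys(b):
    """Brute force of Section 2: every k in F_p passing test (2.2)."""
    return [k for k in range(P) if splits_completely(b, k)]

def probe_attack(b, seed=1):
    """Section 4.1: draw random a until f(x) - f(a) splits; f(a) is then the key
    candidate (a hit happens with probability about n/p per draw)."""
    rng = random.Random(seed)                           # seeded so runs are reproducible
    while True:
        a = rng.randrange(P)
        fa = f_at(b, a)
        if splits_completely(b, fa):
            return fa

USERS = list(range(1001, 1001 + N))                     # constructed private keys a_i
B, C = broadcast(USERS, 777, 42)                        # broadcast of key k = 777, salt c = 42
```

With these parameters $p/n! \approx 3 \cdot 10^{-4}$, so `candidate_keys(B)` is expected to contain only the true key, and `probe_attack` needs about $p/n \approx 100$ draws.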

4.2 Time-memory tradeoff attack

A more direct approach to the problem of finding an element $k$ such that the modular equation $x^p - x \equiv 0 \bmod (f(x) - k)$ is fulfilled is to consider $k$ as a variable and to develop and reduce the equation in terms of the powers of $k$. More precisely, since $f(x) = x^n + \sum_{j=0}^{n-1} b_{n-j} x^j$, then $x^n \equiv -\sum_{j=0}^{n-1} b_{n-j} x^j + k \bmod (f(x) - k)$, and the power $x^p$ can be reduced modulo this equality. In other words, when working in $\mathbb{F}_p[x, y]$ we can write

$$x^p - x \equiv \sum_{i=0}^{n-1} c_i(y)\, x^i \bmod (f(x) - y).$$

The polynomials $c_i$ then fulfill the condition $c_i(k) = 0$ for all $i$, since when $y$ takes the value $k$ the polynomial in $x$ is identically 0. If we could compute explicitly the polynomials $c_i$, then we could recover $k$, since with very high probability $k$ would be their only common root, and therefore

$$x - k = \gcd\{c_i(x),\ i = 0, \ldots, n-1\}.$$

In any case, the number of linear factors is $O(1)$ as soon as $n \gtrsim \frac{\ln p}{\ln\ln p}(1 + o(1))$, as discussed in Section 3 above. However one readily verifies that the degree of the $c_i$'s is $\lfloor p/n \rfloor$, and in our case the memory needed to work with these polynomials is unrealistic because $p/n$ is too large, especially when $n \ll p$. There exists however a workaround. Let us factorize the order of $\mathbb{F}_p^*$ as $p - 1 = d_1 d_2$ with $d_1 > 1$. If $k \neq 0$ then $k^{d_1 d_2} = k^{p-1} = 1$ and thus $k^{d_1}$ can only take $d_2$ values, i.e., the $d_2$-th roots of unity in $\mathbb{F}_p$. In fact if $\beta$ is a primitive element of $\mathbb{F}_p$ and

$$S := \{\omega \in \mathbb{F}_p \mid \omega^{d_2} = 1\} = \{\omega_j \mid \omega_j = \beta^{j d_1} \text{ for some } j = 0, \ldots, d_2 - 1\}$$

then $k^{d_1} = \omega_j$ for some $\omega_j \in S$. Notice that the elements of $S$ can be efficiently computed since primitive roots are easily found, see e.g. [5]. For a given $\omega \in S$, let $I_\omega$ be the ideal in $\mathbb{F}_p[x, y]$ generated by the polynomials $f(x) - y$ and $y^{d_1} - \omega$. In the quotient ring, we have

$$x^p - x \equiv \sum_{i=0}^{n-1} c_{i,\omega}(y)\, x^i \bmod I_\omega$$

where the polynomials $c_{i,\omega}$ satisfy $c_{i,\omega}(y) = c_i(y) \bmod (y^{d_1} - \omega)$. Therefore, the degrees of all $c_{i,\omega}$ are bounded by $d_1 - 1$ and when $\omega = \omega_j$, we have $c_{i,\omega}(k) = 0$. The computation of the polynomials $c_{i,\omega}$ can be performed quite simply: when computing $x^p \bmod I_\omega$ by any square-and-multiply technique in $\mathbb{F}_p[x, y]$, reduce at each step all the terms of degree larger than or equal to $n$ in $x$ with $x^n = -\sum_{j=0}^{n-1} b_{n-j} x^j + y$ and those of degree larger than or equal to $d_1$ in $y$ with $y^{d_1} = \omega$. The time-memory tradeoff algorithm consists in testing all $d_2$ possible $\omega$ until a common linear factor of the $n$ polynomials $c_{i,\omega}$ is found, revealing the secret key $k$. Note that the cost of the greatest common divisor computation is $O(\ln d_1)$ modular polynomial operations. The memory requirement is $M = d_1 \log_2 p$ bits, the time requirement is $T = O(d_2 \ln p \ln d_1)$ modular polynomial operations, and we have $TM = O(p \ln^2 p \ln d_1)$.

Clearly the quality of this approach depends on the factorization of $p - 1$. The case where $p$ is a strong prime, see [9], i.e., $p = 2q + 1$ with $q$ prime, is immune against the previous attack. However as soon as $p - 1$ has a factor $d_1$ with $t$ bits, and if sufficient memory is available, then the time needed to compute the secret key from the public data is decreased by a factor of roughly $2^t$ compared to the brute force described earlier. It is worth mentioning that the original scheme gives no indication on the choice of a special form of $p$. The case of the example presented in Section 2 is illustrative. When $p - 1$, a 75 bit number, has a factor in the range of $2^{40}$, which corresponds to a few gigabytes of memory, the cost of the attack is reduced to roughly $2^{45}$ modular polynomial computations, much less than $2^{80}$, which corresponds to the cost of the brute force search, and is feasible for an attacker with realistic power.
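As an added worked example (not the paper's code), the following Python script runs the time-memory tradeoff of Section 4.2 on a constructed instance: $p = 211$ with $p - 1 = 15 \cdot 14$, so $d_1 = 15$, $d_2 = 14$, and $n = 7$ users whose hashed private keys are simply fixed field elements. The square-and-multiply is carried out in $\mathbb{F}_p[x, y]$ with the two reductions $x^n = y - \sum_j b_{n-j} x^j$ and $y^{d_1} = \omega$; as an addition to the text, the gcd of the $c_{i,\omega}$ is also taken with $y^{d_1} - \omega$, so every root it reports is a genuine candidate (an $r$ with $r^{d_1} = \omega$ for which $f(x) - r$ splits completely), and root finding is done by exhaustive evaluation since $p$ is tiny.

```python
P, N, D1, D2 = 211, 7, 15, 14             # constructed: p - 1 = 210 = d1 * d2, n = 7 users
ROOTS, K = [3, 17, 42, 99, 150, 181, 200], 123   # the h(a_i) and the broadcast key

def secure_filter(roots, k):
    """f(x) = prod(x - r) + k: coefficients of x^0..x^(n-1) (leading 1 implicit)."""
    f = [1]
    for r in roots:
        f = [(u - r * v) % P for u, v in zip([0] + f, f + [0])]
    return [(f[0] + k) % P] + f[1:-1]

def mul_mod_I(A, B, fc, omega):
    """Product in F_p[x,y]/(f(x) - y, y^d1 - omega); A[i][j] = coefficient of x^i y^j."""
    n, d = len(fc), D1
    C = [[0] * (2 * d - 1) for _ in range(2 * n - 1)]
    for i in range(n):
        for u in range(d):
            if A[i][u]:
                for j in range(n):
                    for v in range(d):
                        C[i + j][u + v] += A[i][u] * B[j][v]
    for row in C:                                   # y^(d+t) = omega * y^t
        for t in range(d, 2 * d - 1):
            row[t - d] += omega * row[t]
        row[:] = [c % P for c in row[:d]]
    for deg in range(2 * n - 2, n - 1, -1):         # x^deg = x^(deg-n) * (y - sum_j fc[j] x^j)
        row = C[deg]
        for j in range(n):
            C[deg - n + j] = [(c - fc[j] * r) % P for c, r in zip(C[deg - n + j], row)]
        low = C[deg - n]                            # the y * x^(deg-n) part, with y^d = omega
        C[deg - n] = [(low[0] + omega * row[-1]) % P] + [(low[t] + row[t - 1]) % P for t in range(1, d)]
    return C[:n]

def c_polys(fc, omega):
    """x^p - x mod I_omega by square-and-multiply; row i holds c_{i,omega}(y)."""
    acc = [[int(i == 0 and j == 0) for j in range(D1)] for i in range(N)]    # 1
    base = [[int(i == 1 and j == 0) for j in range(D1)] for i in range(N)]   # x
    for bit in bin(P)[:1:-1]:                       # bits of p, least significant first
        if bit == "1":
            acc = mul_mod_I(acc, base, fc, omega)
        base = mul_mod_I(base, base, fc, omega)
    acc[1][0] = (acc[1][0] - 1) % P                 # subtract x
    return acc

def poly_gcd(a, b):
    """gcd in F_p[y], coefficient lists low degree first (result up to a unit)."""
    a, b = [list(x) for x in (a, b)]
    for x in (a, b):
        while x and x[-1] == 0:
            x.pop()
    while b:
        inv = pow(b[-1], P - 2, P)
        while len(a) >= len(b):                     # a <- a mod b
            q, s = a[-1] * inv % P, len(a) - len(b)
            a = a[:s] + [(c - q * t) % P for c, t in zip(a[s:], b)]
            while a and a[-1] == 0:
                a.pop()
        a, b = b, a
    return a

def tmto_attack(fc):
    """Section 4.2: for every omega in S (the d2-th roots of unity) the roots of
    gcd(y^d1 - omega, c_{0,omega}, ..., c_{n-1,omega}) are the r with r^d1 = omega and
    f(x) - r completely splitting, i.e. the key candidates."""
    cands = []
    for omega in sorted({pow(g, D1, P) for g in range(1, P)}):   # |S| = d2
        g = [(-omega) % P] + [0] * (D1 - 1) + [1]
        for row in c_polys(fc, omega):
            g = poly_gcd(g, row)
        cands += [r for r in range(P) if sum(c * pow(r, i, P) for i, c in enumerate(g)) % P == 0]
    return cands

def count_roots(fc, k):
    """Number of x in F_p with f(x) = k; it is n exactly when f(x) - k splits completely."""
    return sum((pow(x, N, P) + sum(c * pow(x, i, P) for i, c in enumerate(fc)) - k) % P == 0 for x in range(P))

FC = secure_filter(ROOTS, K)                        # the public coefficients an attacker sees
```

Each $\omega$ is processed with $n \cdot d_1 = 105$ field elements of state instead of the $n \cdot \lfloor p/n \rfloor$ needed for the unreduced $c_i$, which is the tradeoff the section describes.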

Let us briefly study the conditions required in order for the above attack to terminate with a time and memory requirement in the order of the square root of $p$. This boils down to determining how often a prime $p$ is such that $p - 1$ has a factor in the range of $p^{1/2}$. For $0 \leq \alpha < \beta \leq 1$, let $N(x, x^\alpha, x^\beta)$ be the number of primes $p \leq x$ such that $p - 1$ has a factor $d$ with $x^\alpha \leq d \leq x^\beta$. There exist constants $r$ and $B$, depending on $\alpha$ and $\beta$, such that

$$\forall x > B, \qquad N(x, x^\alpha, x^\beta) > \frac{r\,x}{\ln x}. \qquad (4.1)$$

This is [1, Theorem 7]. Taking into account that there are $\frac{x}{\ln x}(1 + o(1))$ primes smaller than $x$, Eq. (4.1) above states that for sufficiently large $x$, the proportion of primes $p \leq x$ such that $p - 1$ has a factor in $[x^\alpha, x^\beta]$ is larger than a fixed ratio. For example, computer simulations on prime integers ranging from 30 bits to 85 bits showed that when $\alpha = 0.475$ and $\beta = 0.5$, $r \approx 0.33$ seems to fit the reality. This means that for approximately a third of the randomly chosen large finite prime fields, the above attack can be mounted with a time and memory complexity in the range of the square root of the field size. The ratio jumps to $r \approx 0.59$ for $\alpha = 0.33$ and $\beta = 0.5$, corresponding to a time-memory tradeoff of at least 2/3-1/3 bit complexity in almost 60 % of the cases.

5 Conclusion and Acknowledgments

The key distribution system developed by Wu et al. aims at solving the problem of key management in a potentially insecure multicasting environment. We presented an analysis of the system by shedding light on the security implied by the choices of the two main parameters of the scheme, $p$ and $n$. Two different attacks have been presented, both being efficient when some conditions are fulfilled, exhibiting a family of weak parameters. For instance, when $n \ll p$ and $p$ is a strong prime, the scheme is immune against both attacks.

The author would like to thank Jens Zumbrägel for early talks on this subject, as well as the people of the Vienna Workshop for fruitful discussions.